General

  • Target

    bb89a86c0efde745fa557036ff54500cb62130972446b89584c1d98062b4962b.bin.sample

  • Size

    194KB

  • Sample

    210920-mz4lmsgdek

  • MD5

    643add5f97cc9be75e5d76dda4d1dd11

  • SHA1

    27414b414f8e69758964b9d78cc08ff663c53d09

  • SHA256

    bb89a86c0efde745fa557036ff54500cb62130972446b89584c1d98062b4962b

  • SHA512

    1a3c84d866107a9b69fa8562bb3833ca521a667bbb5d0c0137c8ce9935222e11fb24c7ff69870dc5e7507b5f0af10442afb771f92b1992ef18b49a18a13b121b

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples.

You can contact us for further instructions through:

Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

HTTPS VERSION : https://contirecovery.click

YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP.

---BEGIN ID---
TTsTjmCU8actiNSD6akn5bbmVxlnhLcrRkONwmB8EWHGOZ4lU7cFRodOrdAj2rsf
---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Targets

    • Conti Ransomware

      Ransomware generally thought to be a successor to Ryuk.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive profile data.

MITRE ATT&CK Enterprise v6

Tasks